The header section
The header section consists of an ASCII string as long as necessary.
The character data is compressed with zlib.
(spaces were added for readability)
Header definition found in http://www.arsdata.com/SMART/whitepaper.html
1 \n
main \n
c \t n \t a \t e \t t \t m \t u \t p \t r \n
case number \t evidence number \t unique description \t examiner name \t notes \t acquired date \t system date \t pwhash \t char \n
case number, evidence number, unique description, examiner name, and notes are free-form strings (any characters except \t and \n)
acquired date and system date are in the form "2002 3 4 10 19 59", which is March 4, 2002 10:19:59
pwhash, the password hash, should be the character '0' for no password
char contains one of the following letters:
b => best compression
f => fastest compression
n => no compression
Header definition found in FTK Imager 2.3
A fifth, empty line is present
1 \n
main \n
c \t n \t a \t e \t t \t av \t ov \t m \t u \t p \t r \n
case number \t evidence number \t unique description \t examiner name \t notes \t version \t platform \t acquired date \t system date \t pwhash \t char \n
\n
case number, evidence number, unique description, examiner name, and notes are free-form strings (any characters except \t and \n)
acquired date and system date are in the form "2002 3 4 10 19 59", which is March 4, 2002 10:19:59
version is the EnCase version used to acquire the image
platform is the operating system used to acquire the image
pwhash, the password hash, should be the character '0' for no password
char contains one of the following letters:
b => best compression
f => fastest compression
n => no compression
Header definition found in EnCase 1
A fifth, empty line is present
1 \r\n
main \r\n
c \t n \t a \t e \t t \t m \t u \t p \t r \r\n
case number \t evidence number \t unique description \t examiner name \t notes \t acquired date \t system date \t pwhash \t char \r\n
\r\n
case number, evidence number, unique description, examiner name, and notes are free-form strings (any characters except \t and \n)
acquired date and system date are in the form "2002 3 4 10 19 59", which is March 4, 2002 10:19:59
pwhash, the password hash, should be the character '0' for no password
char contains one of the following letters:
b => best compression
f => fastest compression
n => no compression
Header definition found in EnCase 2, 3
A fifth, empty line is present
1 \r\n
main \r\n
c \t n \t a \t e \t t \t av \t ov \t m \t u \t p \t r \r\n
case number \t evidence number \t unique description \t examiner name \t notes \t version \t platform \t acquired date \t system date \t pwhash \t char \r\n
\r\n
case number, evidence number, unique description, examiner name, and notes are free-form strings (any characters except \t and \n)
acquired date and system date are in the form "2002 3 4 10 19 59", which is March 4, 2002 10:19:59
version is the EnCase version used to acquire the image
platform is the operating system used to acquire the image
pwhash, the password hash, should be the character '0' for no password
char contains one of the following letters:
b => best compression
f => fastest compression
n => no compression
Header definition found in EnCase 4 and 5
A fifth, empty line is present
1 \r\n
main \r\n
c \t n \t a \t e \t t \t av \t ov \t m \t u \t p \r\n
case number \t evidence number \t unique description \t examiner name \t notes \t version \t platform \t acquired date \t system date \t pwhash \r\n
\r\n
case number, evidence number, unique description, examiner name, and notes are free-form strings (any characters except \t and \n)
acquired date and system date are in the form "2002 3 4 10 19 59", which is March 4, 2002 10:19:59
version is the EnCase version used to acquire the image
platform is the operating system used to acquire the image
pwhash, the password hash, should be the character '0' for no password
Header found in linen 5
3 \n
main \n
a \t c \t n \t e \t t \t av \t ov \t m \t u \t p \n
unique description \t case number \t evidence number \t examiner name \t notes \t version \t platform \t acquired date \t system date \t pwhash \n
\n
srce \n
0 1 \n
p n id ev tb lo po ah gu aq \n
0 0 \n
-1 -1 \n
\n
sub \n
0 1 \n
p n id nu co gu \n
0 0 \n
1 \n
\n
unique description, case number, evidence number, examiner name, and notes are free-form strings (any characters except \t and \n)
acquired date and system date are Unix timestamps, e.g. "1142163845", which is March 12, 2006 11:44:05
version is the EnCase version used to acquire the image
platform is the operating system used to acquire the image
pwhash, the password hash, should be empty for no password
TODO: the meaning of the remaining values (the srce and sub tables) is currently unknown
Header found in linen 6
3 \n
main \n
a \t c \t n \t e \t t \t md \t sn \t av \t ov \t m \t u \t p \t dc \n
unique description \t case number \t evidence number \t examiner name \t notes \t model \t serial number \t version \t platform \t acquired date \t system date \t pwhash \t ? \n
\n
srce \n
0 1 \n
p n id ev tb lo po ah gu aq \n
0 0 \n
-1 -1 \n
\n
sub \n
0 1 \n
p n id nu co gu \n
0 0 \n
1 \n
\n
unique description, case number, evidence number, examiner name, notes, model, and serial number are free-form strings (any characters except \t and \n)
acquired date and system date are Unix timestamps, e.g. "1142163845", which is March 12, 2006 11:44:05
version is the EnCase version used to acquire the image
platform is the operating system used to acquire the image
pwhash, the password hash, should be empty for no password
TODO: the meaning of the remaining values (the srce and sub tables) is currently unknown
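As an added example (not part of the original document or of any EWF tool), the following Python decodes the 'main' table of a header section as described above: it inflates the zlib data, accepts both the \n and \r\n variants, maps the field codes to their meanings, parses both date forms, and treats a pwhash of '0' or empty as "no password". The sample header is constructed, and both date forms are assumed to be UTC, which the page does not state; the srce and sub tables of the linen 5/6 variants are left undecoded.

```python
import zlib
from datetime import datetime, timezone

# Field codes from the header's third line (as listed above) mapped to their meaning.
FIELD_NAMES = {
    "c": "case number", "n": "evidence number", "a": "unique description",
    "e": "examiner name", "t": "notes", "av": "version", "ov": "platform",
    "m": "acquired date", "u": "system date", "p": "pwhash", "r": "char",
    "md": "model", "sn": "serial number",
}
COMPRESSION = {"b": "best", "f": "fastest", "n": "none"}

def parse_ewf_date(value):
    """Parse 'YYYY M D h m s' or a Unix timestamp; assumed UTC (the spec gives no zone)."""
    parts = value.split()
    if len(parts) == 6 and all(p.isdigit() for p in parts):
        return datetime(*map(int, parts), tzinfo=timezone.utc)
    if len(parts) == 1 and parts[0].isdigit():
        return datetime.fromtimestamp(int(parts[0]), tz=timezone.utc)
    raise ValueError(f"unrecognised date value: {value!r}")

def parse_header(blob):
    """Inflate a header section body and decode its 'main' table (srce/sub are skipped)."""
    text = zlib.decompress(blob).decode("ascii")
    lines = text.replace("\r\n", "\n").split("\n")   # accept both line-ending variants
    if len(lines) < 4 or lines[1] != "main":
        raise ValueError("header does not start with a 'main' table")
    codes, values = lines[2].split("\t"), lines[3].split("\t")
    if len(codes) != len(values):
        raise ValueError("field code and value counts differ")
    fields = {FIELD_NAMES.get(c, c): v for c, v in zip(codes, values)}
    for key in ("acquired date", "system date"):
        if key in fields:
            fields[key] = parse_ewf_date(fields[key])
    if "char" in fields:
        fields["compression"] = COMPRESSION.get(fields["char"], "unknown")
    # '0' (older headers) and empty (linen 5/6) both mean no password was set.
    fields["password set"] = fields.get("pwhash", "") not in ("", "0")
    fields["header version"] = lines[0]
    return fields

# Constructed sample (not from the spec): an EnCase 2/3 style header, uncompressed form.
SAMPLE_TEXT = (
    "1\r\nmain\r\nc\tn\ta\te\tt\tav\tov\tm\tu\tp\tr\r\n"
    "case 42\tev 1\tlaptop disk\tJ. Doe\tno notes\t3.0\tWindows\t"
    "2002 3 4 10 19 59\t2002 3 4 10 20 0\t0\tb\r\n\r\n"
)
SAMPLE_BLOB = zlib.compress(SAMPLE_TEXT.encode("ascii"))
```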